Owner: CoE Lead + Executive sponsor + Legal. Input: Block-authorized CoE Lead exists. Sub-steps:
- Draft a short (1-page) AI Risk Appetite Statement that answers:
  - May AI draft customer-facing communications? (Yes / Yes-with-human-review / No)
  - May AI take action in financial systems? (Limits?)
  - May AI process customer PII / employee PII / regulated data?
  - May AI influence decisions about people (hiring, lending, performance, access, healthcare)?
  - Which jurisdictions are we in? (EU exposure? US-state exposure? Sector regulation?)
- Get executive sponsor + Legal + Security to sign off.
- Publish internally.
Output / gate criteria: A signed, written, 1-page risk appetite statement everyone in the CoE can quote.
Decision branches:
- Leadership won't commit to a position → the program isn't really sponsored. Escalate or pause.
Skip-this-step risk: Every agent request triggers a fresh philosophical debate. Approvals stall. Builders make local guesses.